Turla Waterhole Attack Investigation - RiskIQ
The Turla Waterhole attack was a malicious reconnaissance campaign that targeted ministry and embassy websites.
All of the targeted websites were also located in Washington, D.C. This attack allowed the threat actor to track
users that visited the compromised websites without their knowledge. It is believed that the threat actor was using
these compromised websites to secretly track dissidents on the internet.
Let's Get Started
Turla Waterhole Attack Investigation
Log in to RiskIQ PassiveTotal™. https://community.riskiq.com/login
In this exercise, you have been given a compromised device. During your investigation, you have isolated a compromised system communicating with rss.nbcpost.com. You are tasked with investigating the domain to gain more information about the threat actor and understand what they are doing.
STEP 1:
In the Discover window type: “rss[.]nbcpost[.]com” without the quotes or [] and hit the Enter key.
Turla Waterhole Attack Investigation Exercise
STEP 2:
Investigate the Host Pair Tab
• What type of domains are listed?
• Are the domains malicious or non-malicious?
• What causes the domains to be associated with rss[.]nbcpost[.]com?
• What does it mean to be a parent domain to rss[.]nbcpost[.]com?
STEP 3:
As you investigate each domain, click the box next to the domain name and modify the Host Pair Domain.
Classify the Host Pairs as Malicious or Non-Malicious.
You can even add a custom tag to mark the Host Pair domain, like embassy, gov, commercial, or social-media.
STEP 4:
Right click on www[.]namibianembassyusa[.]org and open the link in a new tab.
STEP 5:
Click on the PassiveTotal tab showing www[.]namibianembassyusa[.]org.
Click on the Tracker tab.
Investigate clickyId 10673048 by right clicking on the value and opening the link in a new tab.
STEP 6:
Examine the Tracker search results for www[.]namibianembassyusa[.]org
Results show the relationship between the tracking id and other domains. These domains appear to be
associated with governments and/or embassies.
STEP 7:
Examine the Domain www[.]russianembasy[.]org
Look to see whether you find any results that only last a couple of days.
STEP 8:
Investigate the trackers for www[.]russianembasy[.]org:
Google Analytics Account Number ua-38543209
and
Google Analytics Tracking Id ua-98543209-5
by right clicking on each tracker and opening the link in a new tab.
Trackers show a relationship between these trackers and
STEP 9:
Examine the results for Google Analytics Account Number ua-38543209
All of the websites are associated with this same tracker and are part of the threat actor's campaign.
STEP 10:
Examine the results for Google Analytics Tracking Id ua-98543209-5
All of the websites are associated with this same tracker and are part of the threat actor's campaign.
STEP 11:
Go back to www[.]namibianembassyusa[.]org and investigate the following Host Pair domains:
www[.]mentalhealthcheck[.]net
and
cdnnetwork[.]ocry[.]com
by right clicking on each domain and opening the link in a new tab.
STEP 12:
Examine the Host Pairs for www[.]mentalhealthcheck[.]net
Here we see additional websites associated with the attack campaign.
STEP 13:
Examine the Host Pairs for cdnnetwork[.]ocry[.]com
Here we see associations connecting to the Jordan Embassy.
STEP 14:
Right click on jordanembassyus[.]org, the entry whose Cause is script.src, and open the link in a new tab.
STEP 15:
Examine the trackers for jordanembassyus[.]org.
Investigate Google Analytics Account Number ua-24940001
and
Google Analytics Tracking Id ua-24940001-1
by right clicking on each tracker and opening the link in a new tab.
STEP 16:
Go back to the tab for rss[.]nbcpost[.]com.
Click on the Cookie tab.
Investigate the cookie named PNPSESSID by right clicking on the cookie name and opening the link in a new tab.
STEP 17:
This cookie was used to track users on all of the websites listed.
STEP 18:
Go back to the tab for rss[.]nbcpost[.]com
Review the project tab.
Click on the project named “PassiveTotal: Turla’s Watering Hole Attack Campaign”
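Steps 2 through 17 pivot by hand from one domain to the next through shared host pairs, tracker IDs and a cookie name. The Python example below is added here and is not part of the RiskIQ exercise or of PassiveTotal: it runs the same pivot automatically over a small constructed dataset assembled from the relationships the steps above walk through, treating a widely embedded child such as fonts.googleapis.com (an assumption added for illustration) as noise rather than evidence. Hosts whose trackers appear nowhere else in the data, like the constructed www.russianembasy.org records, are not reached from the seed and need a separate pivot, which is what the exercise does.

```python
from collections import deque
from itertools import combinations

# Constructed records mirroring the pivots in the exercise; not real PassiveTotal output.
# Host pairs: (parent, child, cause) -- the parent page loaded a resource from the child.
HOST_PAIRS = [
    ("www.namibianembassyusa.org", "rss.nbcpost.com", "script.src"),
    ("www.namibianembassyusa.org", "www.mentalhealthcheck.net", "script.src"),
    ("www.namibianembassyusa.org", "cdnnetwork.ocry.com", "script.src"),
    ("jordanembassyus.org", "cdnnetwork.ocry.com", "script.src"),
    ("www.namibianembassyusa.org", "fonts.googleapis.com", "link.href"),
]
# Trackers: (hostname, tracker type, value) from each host's Tracker and Cookie tabs.
TRACKERS = [
    ("www.namibianembassyusa.org", "ClickyId", "10673048"),
    ("www.russianembasy.org", "GoogleAnalyticsAccountNumber", "ua-38543209"),
    ("www.russianembasy.org", "GoogleAnalyticsTrackingId", "ua-98543209-5"),
    ("rss.nbcpost.com", "Cookie", "PNPSESSID"),
    ("www.mentalhealthcheck.net", "Cookie", "PNPSESSID"),
]
COMMON_CHILDREN = {"fonts.googleapis.com"}  # embedded by countless unrelated sites: noise, not evidence

def build_graph(host_pairs=HOST_PAIRS, trackers=TRACKERS, common=COMMON_CHILDREN):
    # Undirected host graph; each edge records why the two hosts are linked.
    graph = {}
    def link(a, b, reason):
        graph.setdefault(a, {}).setdefault(b, set()).add(reason)
        graph.setdefault(b, {}).setdefault(a, set()).add(reason)
    for parent, child, cause in host_pairs:
        if child not in common:
            link(parent, child, "hostpair:" + cause)
    hosts_by_tracker = {}
    for host, ttype, value in trackers:
        hosts_by_tracker.setdefault((ttype, value), set()).add(host)
    for (ttype, value), hosts in hosts_by_tracker.items():
        for a, b in combinations(sorted(hosts), 2):  # a tracker seen on one host alone links nothing
            link(a, b, f"{ttype}:{value}")
    return graph

def pivot(seed, graph):
    # Breadth-first pivot from seed, returning {host: (hops, evidence chain)}.
    reached, queue = {seed: (0, [])}, deque([seed])
    while queue:
        cur = queue.popleft()
        hops, chain = reached[cur]
        for nxt, reasons in graph.get(cur, {}).items():
            if nxt not in reached:
                reached[nxt] = (hops + 1, chain + [f"{cur} -> {nxt} [{', '.join(sorted(reasons))}]"])
                queue.append(nxt)
    return reached
```

Each reached host carries the chain of host pairs and shared trackers that led to it, which is the evidence an analyst records when classifying a host pair as malicious in Step 3.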